<emily>
abathur: another thing I thought about re: the keychain/volume approach, should probably set the key to not just be accessible by any application
<emily>
security(1) can do that, but not sure how it'd interact with the system daemon; maybe it'd need putting in its own binary/shell script to be able to be granted perms like that
<abathur>
I suspect so yeah
<abathur>
I've had that thought
<emily>
the shopify script sets it to some process named APFSAgent or something
<emily>
which didn't seem to do anything for me
<abathur>
it is at least in the system keychain, so AFAIK whatever was trying to check it would still need to be using root/sudo
<abathur>
well
<abathur>
my best guess is that shopify is just mirroring what the system does if you create an encrypted volume, try to mount it, and let the system save the credentials
<abathur>
so, if you don't add APFSUserAgent
<abathur>
*and* you don't mount it with a launchdaemon
<emily>
ah, mhm
<abathur>
when the system finally gets around to trying, it'll prompt you to ask if APFSUserAgent can access <credential label>
<emily>
probably good to include APFSUserAgent in there anyway, if we're mirroring the UUID setup and so on
<abathur>
and give you a chance to say allow/deny/always allow
<emily>
(so that things can still potentially work sans-daemon)
<abathur>
kinda :]
<abathur>
I actually just committed that, but lilyball proposed something that I think makes sense
<abathur>
so my reluctance to add them was because I thought it was marginally better for the system to prompt you about the credential than to just silently start auto-mounting the drive and potentially cause the race condition issues
<abathur>
but lilyball suggested just adding noauto to the fstab
<abathur>
so, it'd have the right credentials set up to auto-mount if needed, but will hopefully still require some user action, giving the user a chance to fix whatever's wrong with the launchdaemon?
<abathur>
(I have yet to actually test this; working towards that now)
<abathur>
I guess it's easy enough to test the access bit
<abathur>
oh, I guess we'll get an interesting test
<abathur>
I think, when I'm not using -T, it auto-adds /usr/bin/security to that list
<abathur>
but the code I just started using does specify APFSUserAgent and CFUserAgent or whatever--so I guess it may prompt and fall over unless root wins
<emily>
I half suspect that it just works anyway from launchdaemons
<emily>
from my past fiddling
<emily>
but only one way to find out I suppose
<abathur>
:]
<abathur>
it didn't work without adding security
<abathur>
also, adding noauto did have the intended effect
<abathur>
I guess it's debatable how well it'll actually drive people to look into it
<abathur>
it does fail fairly silently by itself, so I guess someone who rarely uses Nix and has no regular dependency on the volume could have it broken for a while before they notice; but I guess that's also true of all kinds of things
<emily>
having to add security is very unfortunate; basically means no access controls
<emily>
if we made the mounter a tiny C/Swift/Rust binary we could add it directly right? it didn't work when I tried adding a shell script unfortunately
<abathur>
I think so
<johnw>
greetings all
<abathur>
greetings :)
<antifuchs>
emily: correct, if the binary uses the keychain access framework (I forgot the name), that's what you'd allowlist
<antifuchs>
I believe you have to guarantee a stable pathname on the binary though
<antifuchs>
(or make it an app bundle and you get to allowlist the app ID... I think)